Trade group objects to proposed NIST mobile security guidelines

A mobile security technology proposal drafted by the National Institute of Standards and Technology (NIST) is being soundly rejected by one of the main trade groups representing a broad cross-section of industry.

NIST's "Guidelines on Hardware-Rooted Security in Mobile Devices," issued in draft form in October and out for public comment until last Friday, has drawn sharp criticism from the Telecommunications Industry Association, which labeled NIST's proposal "over-prescriptive" because it "suggests that security in mobile devices can only be realized using a specific architectural implementation of secure or trustworthy environment, namely the Trusted Platform Module (TPM) architecture specified by the Trusted Computing Group (TCG)."

TPM is "one way to implement security in mobile devices but it isn't the only way," said Brian Scarpelli, senior manager of government affairs at Arlington, Va.-based TIA, adding that software-based security can also be relied on. He indicated that the TIA membership of carriers and software vendors would prefer not to have to adhere to a specific implementation to meet new federal guidelines for mobile devices, and that TIA is reaching out to NIST to voice its objections. TIA's industry membership includes carriers such as Verizon Communications and Sprint Nextel, as well as Apple, Dell and VMware.

The TPM specification from the TCG is a hardware-based cryptographic-processing technology that can be used for several security purposes, primarily device integrity. TPM is used in desktops and servers but not mobile devices at present. The National Security Agency, for example, which influences technology decisions made at the U.S. Department of Defense, has been an enthusiastic proponent of TPM.

TPM chips are present in much computer hardware today, but they appear to suffer from a lack of widespread use, in part because few applications make them easy to deploy.

NIST argues for TPM by saying that "many mobile devices are not capable of providing strong security assurances to end users and organizations. Current mobile devices lack the hardware-based roots of trust that are increasingly built into laptops and other types of hosts."

NIST says it wants to "accelerate industry efforts" to use hardware-rooted trust technologies, and specifically TPM, in mobile devices such as smartphones and tablets that the federal government would acquire. NIST criticizes today's mobile devices, saying they are "vulnerable to 'jailbreaking' and 'rooting,' which provide device owners with greater flexibility and control over the devices, but also bypass important security features which may introduce vulnerabilities."

NIST asserts in its guidelines proposal that TPM and a hardware-based root of trust are the model the federal government would like to see used for assuring device integrity and verification, and that this would also help the government adopt a bring-your-own-device approach in which government employees could use their personally owned devices for work as well.

In its rebuttal to the NIST proposal, TIA's comments reject NIST's contention that "mobile devices are not as secure as laptops and personal computers," calling NIST's statements "inaccurate reflections of the state-of-the-art security supported by today's smartphones and tablets. Today's smartphones and tablet implementations support immutable, hardware-based root of trust that provide security features equivalent to those supported by laptops and personal computers."

In its comments, TIA pleads with NIST to reconsider its drafted guidelines proposal for mobile. "We urge NIST to ensure that any security requirements that it places on Federal agencies do not in effect cause the information and communications technology (ICT) manufacturers and vendors on which these agencies rely to choose between either making significant design and/or system alterations inconsistent with existing measures taken to ensure that private information systems are secure or to refrain from directly participating in the Federal market."

The TIA adds, "If this were to happen, it would bifurcate the ICT market that currently successfully serves both government and private entity alike, and would deprive Federal users of the benefits of the dynamic private research and development ecosystem."

Copyright 2015 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.